CVE-2025-60868

MEDIUM

Statamic Alt Redirect 1.6.3 - SSRF

Title source: llm

Description

The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Case variations, encoded keys, and duplicates are not removed, allowing attackers to bypass sanitization. This may lead to cache poisoning, parameter pollution, or denial of service.

References (2)

[Various Sources] https://gist.github.com/kasiasok/870933de18d1400fa8be88e1bcadec6c

[Various Sources] https://statamic.com/addons/alt-design/alt-redirects/release-notes

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 18.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (1)

alt-design/alt-redirect 0 - 1.6.4Packagist

Published Oct 10, 2025

Tracked Since Feb 18, 2026